chore: migrate to reusable PyPI publish workflow #11
Merged
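Auto Review (Round 1) — Changes Requested

Main issue: the permissions block has no effect in a job that calls a reusable workflow, so id-token: write may not be passed through, causing OIDC trusted publisher publishing to fail. There is also a supply-chain security risk from pinning the reusable workflow to the mutable ref @main, as well as a lost lint step and a narrowed test scope; these need to be confirmed before merging.

Fix: move permissions to the top level of the workflow (after on:, before jobs:):

```yaml
permissions:
  id-token: write
  contents: read
jobs:
  publish:
    uses: liuxiaotong/knowlyr-workflows/...
```

Or confirm that the reusable workflow already declares it internally.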
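The mutable-ref concern raised in the review above can be checked mechanically. This is an added example, not part of the PR or the reviewer's comment: it flags every `uses:` reference that is not pinned to a full 40-character commit SHA. The repository names and the SHA in the sample workflow are constructed placeholders.

```python
import re

# Matches "uses: <target>" at step level ("- uses:") or job level ("uses:").
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(target):
    """Return 'local', 'docker', 'pinned' or 'mutable' for one uses: target."""
    if target.startswith("./"):
        return "local"      # same repository, resolved at the caller's commit
    if target.startswith("docker://"):
        return "docker"     # image reference, outside the scope of this check
    _, sep, ref = target.rpartition("@")
    if not sep:
        return "mutable"    # no ref given at all
    # Branches and tags can be moved; only a full commit SHA is immutable.
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"

def audit_workflow(text):
    """List (line_number, target) for each uses: not pinned to a commit SHA."""
    findings = []
    for m in USES_RE.finditer(text):
        if classify_ref(m.group(1)) == "mutable":
            line_no = text.count("\n", 0, m.start(1)) + 1
            findings.append((line_no, m.group(1)))
    return findings

# Constructed sample workflow; names and SHA are placeholders, not from the PR.
SAMPLE = """\
on:
  push:
    tags: ["v*"]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
  publish:
    uses: example-org/shared-workflows/.github/workflows/publish.yml@main
  publish-pinned:
    uses: example-org/shared-workflows/.github/workflows/publish.yml@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line_no, target in audit_workflow(SAMPLE):
        print(f"line {line_no}: {target} is not pinned to a commit SHA")
```
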
Summary

knowlyr-workflows/reusable-publish-pypi.yml

Test plan

`v*` tag push triggers the reusable workflow correctly